# Shared NixOS base profile: packages, sudo tweaks, sops-delivered CA
# certificates, journald size cap, tmpfiles rules and a status-email unit.
{ config, lib, pkgs, ... }:

let
  # Attributes shared by every sops secret declared in this module.
  # mode 444 makes the decrypted file world-readable: acceptable only for
  # public material such as the CA certificates below, never for private keys.
  common = {
    sopsFile = ../../../secrets/secrets.yaml;
    mode = "444";
    owner = "root";
    group = "root";
  };

  # Build a sops secret entry that lands a certificate under /etc/ssl/certs.
  mkCertSecret = file: common // { path = "/etc/ssl/certs/${file}"; };

  # Users whose home gets a weekly-cleaned ~/tmp (normal, non-system users only).
  normalUsers = lib.filterAttrs (_: u: u.isNormalUser) config.users.extraUsers;

  # One tmpfiles "d" rule per user: 0700 ~/tmp owned by the user, purged after 7 days.
  userTmpRule = name: u: "d ${u.home}/tmp 0700 ${name} ${u.group} 7d";
in
{
  imports = [
    ./binfmt.nix
    ./boot.nix
    ./config.nix
    ./i18n.nix
    ./nix.nix
    ./users.nix
  ];

  environment.systemPackages = [
    pkgs.cachix
    pkgs.file
    pkgs.htop
    pkgs.iotop
    pkgs.lsof
    pkgs.netcat
    pkgs.psmisc
    pkgs.pv
    pkgs.tree
    pkgs.vim
    pkgs.wget
  ];
  # FIXME fix tmpOnTmpfs
  # systemd.additionalUpstreamSystemUnits = [ "tmp.mount" ];

  # Keep the invoking user's SSH agent socket available inside sudo sessions.
  # Anything running as root during that session can then use the agent's keys.
  security.sudo.extraConfig = ''
    Defaults env_keep += SSH_AUTH_SOCK
  '';

  # CA certificates decrypted from the shared sops file into /etc/ssl/certs.
  sops.secrets = {
    "minica.pem" = mkCertSecret "minica.pem";
    "redhat.pem" = mkCertSecret "redhat.pem";
  };
  # security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" "/etc/ssl/certs/minica.pem" ];

  # Only keep the last 500MiB of systemd journal.
  services.journald.extraConfig = "SystemMaxUse=500M";

  # Clear out /tmp after a fortnight and give all normal users a ~/tmp
  # cleaned out weekly.
  systemd.tmpfiles.rules =
    [ "d /tmp 1777 root root 14d" ]
    ++ lib.mapAttrsToList userTmpRule normalUsers;

  # Template unit: `status-email-root@<unit>.service` mails the status of
  # <unit> (the %i instance name) via the local systemd-email helper.
  systemd.services."status-email-root@" = {
    description = "status email for %i to vincent";
    serviceConfig = {
      Type = "oneshot";
      ExecStart = ''
        ${pkgs.my.systemd-email}/bin/systemd-email vincent@demeester.fr %i
      '';
      User = "root";
      # Explicit PATH: oneshot units do not inherit a login environment.
      Environment = "PATH=/run/current-system/sw/bin";
    };
  };
}